Technical University Berlin's Ravi Borgaonkar said websites have tricked Android owners into activating malicious code by selecting on-screen phone numbers.
He added that no Android device could tell the difference between real phone numbers and USSD codes that smartphones recognize as instructions to erase the data from their memory cards.
A proportion of the malware seems to target only Samsung devices. Once the malware triggers a factory reset, there is no method of restoring the data, he added.
Android developer Google has since issued a fix, with Borgaonkar urging Android smartphone owners to ensure they have the latest updates installed on their devices.
McAfee security expert Jimmy Shah, however, stressed the bug was not an appealing option to cybercriminals. "There's no benefit to the attacker if they can't make money off it or they can't steal your data," he told the BBC. "It's really not that useful."
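
The confusion described above between ordinary phone numbers and USSD codes can be checked for before a link is handed to the dialer. The following JavaScript is an added example, not code from Borgaonkar or from Google's fix; it assumes the on-screen number is delivered as a `tel:` link, and the function name `classifyDialTarget` and the sample values are constructed for illustration.

```javascript
// Added example: decide whether a dial link is a plain phone number or
// something the dialer could execute as a USSD/MMI code.
// Assumption: the number arrives as a tel: URI (RFC 3966).
function classifyDialTarget(uri) {
  const m = /^tel:(.*)$/i.exec(String(uri).trim());
  if (!m) return { kind: "not-tel", dial: null };

  let body;
  try {
    // Percent-encoding can hide '#' (%23) and '*' (%2A) from a naive filter,
    // so decode before inspecting the characters.
    body = decodeURIComponent(m[1]);
  } catch (e) {
    // Broken escapes are never passed on to the dialer.
    return { kind: "malformed", dial: null };
  }

  // Drop URI parameters (";ext=...") and visual separators.
  const number = body.split(";")[0].replace(/[\s().-]/g, "");

  // '*' or '#' anywhere means the dialer may treat the string as a code
  // rather than a number to call, so it is never dialed automatically.
  if (/[*#]/.test(number)) return { kind: "ussd-or-mmi", dial: null };

  // Only an optional '+' followed by digits is accepted as a real number.
  if (/^\+?\d{3,15}$/.test(number)) return { kind: "phone-number", dial: number };
  return { kind: "malformed", dial: null };
}

// Constructed sample links (*#06# is the harmless IMEI-display code).
const samples = [
  "tel:+49 30 1234-567",
  "tel:*%2306%23",
  "TEL:%2A%2306%23",
  "tel:%ZZ",
];
for (const s of samples) {
  console.log(s, "->", classifyDialTarget(s).kind);
}
```

A caller would dial only when `kind` is `phone-number`, and show the decoded string to the user for confirmation in every other case.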